Vulnerability and Exploit Detector

Purpose

The Vulnerability and Exploit Detector for Microsoft® Windows® NT
consists of the executable files SENTINEL.DLL and SENTINEL.EXE.
They are used as canaries to indicate the execution of bogus or rogue
DLLs and programs from unintended or unwanted locations, typically in
order to detect and demonstrate programming errors which lead to
weaknesses and vulnerabilities, or to catch and detect (malicious)
code which exploits such weaknesses and vulnerabilities.
When placed in trusted locations of the search path, before
untrusted locations like the CWD, they additionally act as sentinels
and prevent the execution of bogus or rogue DLLs and programs.

Operation

SENTINEL.EXE is typically placed as PROGRAM and/or PROGRAM.EXE in the
root directory of Windows' system drive %SystemDrive%; if creation of
8.3 filenames is enabled SENTINEL.EXE can be copied as is and a short
8.3 filename PROGRAM or PROGRAM.EXE set:

SENTINEL.DLL is placed in the CWD and/or the application directory of
programs which load DLLs during load-time and/or runtime, using the
filename of one or more DLLs loaded by the respective program or any
(other) DLL loaded by it.
Note: on systems with AMD64 alias x64 processor architecture,
SENTINEL.DLL is loaded only if its execution environment matches that
of the calling process!

When executed, SENTINEL.DLL and SENTINEL.EXE write a message similar
to that shown above to Windows' Event Log using the source
Vulnerability and Exploit Detector.
To retrieve these messages from the Event Log, start a
Command Prompt and run the following command line:

"%SystemRoot%\System32\WBEM\WMIC.exe" NTEvent Where "SourceName='Vulnerability and Exploit Detector'" Get /Value

When SENTINEL.EXE runs in an interactive user session
it also displays the message box shown above.
Note: the calling process can only be determined
if it still exists and SENTINEL.EXE runs in the same
(unprivileged) security context as the calling process, on systems
with AMD64 alias x64 processor
architecture also in the same (32- or 64-bit) execution environment
as the calling process!
To test SENTINEL.EXE, execute it per double-click from
Windows Explorer or call it from a
Command Prompt.

When SENTINEL.DLL runs in an interactive user session
it also displays one or more message boxes similar to the one shown
above.
Note: the message box displayed during the initial
call of SENTINEL.DLL
(DLL_PROCESS_ATTACH)
offers the choice to return success or failure to the
calling process. The Win32 functions
LoadLibrary()
and
LoadLibraryEx()
yield error 1114 alias
ERROR_DLL_INIT_FAILED
for failure, while Windows' module loader
yields
NTSTATUS
0xC0000142 alias
STATUS_DLL_INIT_FAILED.
To test SENTINEL.DLL, open a
Command Prompt and run one of the following command
lines:

Limitation

When SENTINEL.DLL is (renamed and) used as static (load-time)
dependency of an arbitrary executable (a program or another DLL),
loading of this executable usually fails due to unresolved external
symbols or ordinals, and SENTINEL.DLL is not run: SENTINEL.DLL does
not export the symbols and ordinals of the original DLL.

This limitation can be overcome by forwarding the missing exports to
the original DLL using a .def file:

Caveat: forwarding is only possible to DLLs with extension .dll!
Note: original DLLs located in Windows' system directory
%SystemRoot%\System32\ can be referenced with their relative pathname
System32\‹filename› since the Windows directory %SystemRoot%\ is in
the search path too.

A complete set of 32-bit forwarder DLLs for all system DLLs of
Windows XP and Windows 7 is available upon request.

Background information

Execution of bogus or rogue programs

The most prominent, notorious, well-known and well-documented example
is the unintended execution of %SystemDrive%\Program.exe or (for
example) "%SystemDrive%\Program Files\Internet.exe" alias
"%ProgramFiles%\Internet.exe" instead of the intended execution of
(again for example)
"%SystemDrive%\Program Files\Internet Explorer\IExplore.exe" alias
"%ProgramFiles%\Internet Explorer\IExplore.exe" due to missing quotes
around the long filename or pathname of the executable file that
contains spaces when used in a command line like
%SystemDrive%\Program Files\Internet Explorer\IExplore.exe -nohome
alias
%ProgramFiles%\Internet Explorer\IExplore.exe -nohome.

The (to say the very least) weird, braindead behaviour of these Win32
functions which lets this beginner's error go undetected (without a
properly named sentinel placed beside all executable files with a
space in their name and all directories with a space in their name
which contain executable files) is documented in the MSDN articles
referenced above under the heading Parameters and has existed since
the introduction of long filenames with Win32 in Windows NT 3.1 (and
of course Windows 95 too) more than 20 years ago:

[…] the module name must be the first white space-delimited
token in the lpCommandLine string. If you are using a long
file name that contains a space, use quoted strings to indicate
where the file name ends and the arguments begin; otherwise, the
file name is ambiguous. For example, consider the string
"c:\program files\sub dir\program name".
This string can be interpreted in a number of ways. The system
tries to interpret the possibilities in the following order:

c:\program.exe files\sub dir\program name

c:\program files\sub.exe dir\program name

c:\program files\sub dir\program.exe name

c:\program files\sub dir\program name.exe

These Win32 functions play trial and error where they should instead
fail and return an error to their caller!

Note: the following rules of interpretation are
missing in the documentation:

all possibilities are tried without the extension .exe
first (executable files don't need to have an extension at all);

all possibilities where both a matching file with extension
.exe and a matching directory without extension exist
are discarded;

except for the last possibility matching directories are discarded.
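The interpretation order listed above, together with the three undocumented rules, can be modelled without a Windows box. The following Python is an added example, not part of the SENTINEL package or the MSDN text: it runs the rules against a constructed set of paths, and canary_paths() lists exactly the locations a sentinel copy such as SENTINEL.EXE must occupy to catch an unquoted command line before the intended program is reached.

```python
"""Model of CreateProcess() interpreting an unquoted command line.
Added example, not part of the SENTINEL package: it encodes the order MSDN
documents plus the three undocumented rules stated on this page, against a
constructed set of paths; it never touches a real Windows file system.
"""

def interpretations(cmdline):
    """Yield each module name CreateProcess() may try, in order: every
    whitespace-delimited prefix bare first, then with .exe (rule 1)."""
    tokens = cmdline.split()
    for i in range(1, len(tokens) + 1):
        base = " ".join(tokens[:i])
        yield base
        yield base + ".exe"


def resolve(cmdline, files, dirs):
    """Return the path the model would execute for cmdline, or None.
    files/dirs are constructed sets standing in for the (case-insensitive)
    Windows file system."""
    files = {p.lower() for p in files}
    dirs = {p.lower() for p in dirs}
    tokens = cmdline.split()
    last = len(tokens)
    for i in range(1, last + 1):
        base = " ".join(tokens[:i])
        key = base.lower()
        # rule 2: a directory <base> beside a file <base>.exe discards both
        if key in dirs and key + ".exe" in files:
            continue
        # rule 3: a bare name matching a directory is discarded unless it is
        # the last possibility, which is then attempted (and fails)
        if key in files or (key in dirs and i == last):
            return base
        if key + ".exe" in files:
            return base + ".exe"
    return None


def canary_paths(cmdline, intended):
    """Interpretations tried before `intended`: wherever a bogus program
    would win, hence where a sentinel such as SENTINEL.EXE belongs."""
    ahead = []
    for candidate in interpretations(cmdline):
        if candidate.lower() == intended.lower():
            return ahead
        ahead.append(candidate)
    raise ValueError("intended path is not an interpretation of cmdline")


# Constructed sample: the IExplore.exe command line quoted on this page.
CMDLINE = r"C:\Program Files\Internet Explorer\IExplore.exe -nohome"
INTENDED = r"C:\Program Files\Internet Explorer\IExplore.exe"
CLEAN_DIRS = {r"C:\Program Files", r"C:\Program Files\Internet Explorer"}
```

For the sample command line canary_paths() yields C:\Program, C:\Program.exe, "C:\Program Files\Internet" and "C:\Program Files\Internet.exe", which are two of the locations SENTINEL.INF populates.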

To perform a quick (but non-exhaustive) check whether your
Windows installation is affected, start a
Command Prompt, run the following command lines, and
inspect their output:

If any element of the command string contains or might contain
spaces, it must be enclosed in quotation marks. Otherwise, if the
element contains a space, it will not parse correctly.
For instance, "My Program.exe" starts
the application properly. If you use
My Program.exe without quotation marks, then the
system attempts to launch My with
Program.exe as its first command line argument.
You should always use quotation marks with arguments such as
%1 that are expanded to strings by the Shell,
because you cannot be certain that the string will not contain a
space.

The command line must specify a fully qualified absolute path to
the file, followed by optional command-line options. Use quotation
marks appropriately to ensure that spaces in the command line are
not misinterpreted.

lpBinaryPathName [in, optional]

The fully qualified path to the service binary file. If the path
contains a space, it must be quoted so that it is correctly
interpreted. For example, "d:\\my share\\myservice.exe"
should be specified as
"\"d:\\my share\\myservice.exe\"".

To perform a quick (but non-exhaustive) check whether your
Windows installation is affected by the other two
aforementioned bugs, start a Command Prompt, run the
following command lines and inspect their output:

Use the batch script
SLOPPY.CMD
to perform all the checks listed here, above and below.
For a more thorough check download, read and run the batch scripts
SLOPPY7X.CMD
and
SLOPPY7D.CMD.

If you detect a simple filename or a partial (relative) pathname
instead of a full (absolute) pathname or an unquoted argument
(anywhere, not only) in the command lines printed
by FType, direct the author(s) of the vulnerable
software (for example) to the
MSDN
articles referenced above and request a fix for this well-known
vulnerability!

Also ask the author(s) of the defective software why they don't use
Application Verifier
to test their software!

Calls to the CreateProcess API function are subject to attack if
parameters are not specified correctly. AppVerifier generates an
error if CreateProcess (or other related API functions) are called
with a NULL lpApplicationName parameter and an
lpCommandLine parameter that contains spaces. For example,
it does not allow the following as the command line parameter:

c:\program files\sample.exe -t -g c:\program files\sample\test

Using this command line, an application can inadvertently execute
unwanted code if a malicious user installs his program to
C:\Program.

The server must register the full path to the installation location
of the DLL or EXE module for their respective
InprocServer32, InprocHandler32,
and LocalServer32 keys in the registry.

This is a REG_SZ value that specifies the full
path to the executable name […]

Specifies the full path to a 16-bit local server application.

Specifies the full path to a 32-bit local server application.

[…]

The ServerExecutable value, which is of type
REG_SZ and is supported starting with Windows
Server 2003, works in conjunction with the
LocalServer32 subkey to prevent any ambiguity when
using the
CreateProcess
function. LocalServer32 specifies the location of
the COM server application to launch, and this information is
passed as the first parameter lpApplicationName for
CreateProcess. Depending on the implementation of
CreateProcess, this information might be
ambiguous. For this reason, if ServerExecutable is
specified, COM passes the ServerExecutable named
value to the lpApplicationName parameter of
CreateProcess. If
ServerExecutable is not specified, COM passes
NULL as the value for the first parameter of
CreateProcess.

To help provide system security, use quoted strings in the path to
indicate where the executable filename ends and the arguments
begin.

Use the batch script
SLOPPY.CMD
to perform all the checks listed here and above.
For a more thorough check download, read and run the batch scripts
SLOPPY7X.CMD
and
SLOPPY7D.CMD.

Again: if you detect a simple filename or a
partial (relative) pathname instead of a full (absolute) pathname
in a call to a Win32 function that loads an executable
file, in a command line, in the
Registry,
in a DESKTOP.INI file etc. as well as an unquoted
argument in a command line, direct the author(s) of the vulnerable
software (for example) to the
MSDN
articles referenced above as well as
Guidelines For Developers
and request a fix for this well-known vulnerability!

The vulnerability fixed by
3121918
is listed as
CVE-2016-0014
in the
CVE®:
whenever an application used Win32 functions involving
the
Encrypting File System,
FEClient.dll was loaded using its simple filename
instead of its fully qualified (absolute) pathname
%SystemRoot%\System32\FEClient.dll.
Please note the entries for January 2016 on Acknowledgments – 2016.

For the execution of programs some, but not all (now fixed)
individual vulnerabilities due to insecure search path handling only
in Microsoft products are documented in the MSKB articles 264061,
269049, 2781197, 2823482 and 2847927, plus the Security Bulletins
MS00-052, MS13-034 and MS13-058.

The MSKB article 249321, however, proposes to replace an absolute
(full) pathname with a simple filename, which introduces this
vulnerability!
Note: a Registry entry of type REG_EXPAND_SZ with value
%SystemRoot%\System32\UserInit.exe avoids both errors!

Programs that are run from the user's Downloads directory
%USERPROFILE%\Downloads\, the Temp directory
%TEMP%\ alias
%USERPROFILE%\AppData\Local\Temp\ or
%SystemRoot%\Temp\ respectively, as well as the user's
Desktop directory %USERPROFILE%\Desktop\,
typically and especially (self-extracting or self-unpacking)
installers, almost always load some
DLLs from these
directories (which are their application directory), and
typically also execute their payload from there.

IExpress installers like CAPICOM-KB931906-v2102.exe, a security
(sic!) update documented in the MSKB article 931906 and the Security
Bulletin MS07-028, DotNETFX.exe and LangPack.exe for the
.NET Framework versions 1.0, 1.1 and 2.0, and many more are
well-known examples for arbitrary code execution vulnerabilities,
and, since Windows Vista, due to UAC's installer detection, for
privilege escalation vulnerabilities too!

All executable installers built with

InnoSetup load and execute DWMAPI.dll or
UXTheme.dll, …;

InstallShield load and execute
RichEd32.dll, …;

NSIS
before version 2.50 and 3.0b5 load and execute
ShFolder.dll, DWMAPI.dll or
UXTheme.dll, SetupAPI.dll, …;

Programs like
%SystemRoot%\System32\SysPrep\SysPrep.exe which
silently gain full administrative privileges per UAC's auto-elevation
(mis)feature in
protected administrator accounts and request administrative
privileges in standard user accounts, or programs like
%SystemRoot%\RegEdit.exe which request full
administrative privileges in protected administrator
accounts, execute these bogus or rogue
DLLs with full
administrative privileges too.

Note: since creation (or replacement) of files in
%SystemRoot%\ or
%SystemRoot%\System32\SysPrep\ needs administrative
privileges, this weakness alone does not allow
privilege escalation; together with UAC's auto-elevation (mis)feature
for
protected administrators, which can be (ab)used to create
(or replace) arbitrary files in %SystemRoot%\ and
below using the command line

Implementation and build details

SENTINEL.DLL and SENTINEL.EXE are pure
Win32 binary executables, written in
ANSI C
without the use of the
MSVCRT
libraries, built with the platform
SDK for
Windows Server 2003 R2 for use on
Windows 2000 and newer versions of
Windows NT.

on Windows Vista and newer versions of
Windows NT to extract all files into the specified
directory, preserving their paths.
Note: Expand.exe from prior versions of Windows NT ignores the paths
and junks them!
Use Extract.exe from the Support Tools
on Windows XP and Windows Server 2003
instead.

Installation

The installation requires administrative privileges.

The setup script
SENTINEL.INF
copies SENTINEL.DLL and SENTINEL.EXE
as %SystemRoot%\System32\.dll
and %SystemRoot%\System32\.exe,
as %SystemDrive%\Program.dll
and %SystemDrive%\Program.exe,
as "%ProgramFiles%\Common.dll"
and "%ProgramFiles%\Common.exe",
as "%ProgramFiles%\Internet.dll"
and "%ProgramFiles%\Internet.exe",
as "%ProgramFiles%\Microsoft.dll"
and "%ProgramFiles%\Microsoft.exe",
as "%ProgramFiles%\Windows.dll"
and "%ProgramFiles%\Windows.exe",
as "%CommonProgramFiles%\Microsoft.dll"
and "%CommonProgramFiles%\Microsoft.exe",
with various filenames into the user's Downloads directory
"%USERPROFILE%\Downloads\" and the system's
Temp directory %SystemRoot%\Temp\, creates
Software Restriction Policies
alias
SAFER
hash rules to allow execution of SENTINEL.DLL and
SENTINEL.EXE from any path, defines the message source
for the Event Log in the registry, creates an entry
Vulnerability and Exploit Detector under
Installed Updates, and finally executes both
SENTINEL.DLL and SENTINEL.EXE from the
installation directory to demonstrate and verify their correct
function.

Note: on systems with AMD64 alias
x64 processor architecture the installation
must be run in the native (64-bit) execution
environment to install SENTINEL.DLL and
SENTINEL.EXE for both processor architectures!

Automatic online installation

If visited with Internet Explorer, this web page will
prompt to install (the contents of) the package using
Internet Component Download.
Note: on systems with AMD64 alias x64 processor architecture
Internet Explorer (x64) must be used!

Manual offline installation

Download the package
SENTINEL.CAB
and verify its digital signature, then open it in
Windows Explorer, extract its contents preserving the
directory structure, right-click the extracted setup script
SENTINEL.INF
to display its context menu and click Install to run the
installation.
Note: SENTINEL.EXE is run during installation for every processor
architecture and displays the dialog box shown on top!

Notes: I dislike
HTML (and
even weirder formats too) in email, I prefer to receive plain text.
I also expect to see a full (real) name as sender, not a nickname!
Emails in weird formats and without a proper sender name are likely
to be discarded.
I abhor top posts and expect inline quotes in replies.

Terms and conditions

By using this site, you signify your agreement to these terms and
conditions. If you do not agree to these terms and conditions, do
not use this site!

The software and the documentation on this site are provided
as is without any warranty, neither express nor
implied.
In no event will the author be held liable for any damage(s)
arising from the use of the software or the documentation.

Permission is granted to use the current version of the software
and the current version of the documentation solely for personal
private and non-commercial purposes.
An individual's use of the software or the documentation in his or
her capacity or function as an agent, (independent) contractor,
employee, member or officer of a business, corporation or
organization (commercial or non-commercial) does not qualify as a
personal, private and non-commercial purpose.

Without written approval from the author the software or the
documentation must not be used for a business, for
commercial, corporate, governmental, military or organizational
purposes of any kind, or in a commercial, corporate, governmental,
military or organizational environment of any kind.

Redistribution of the software and the documentation is allowed
only in unmodified form of its current version and
free of charge.